[Samba] Samba with AD : SID rejected
Rowland Penny
rpenny at samba.org
Fri Apr 26 12:29:21 UTC 2019
On Fri, 26 Apr 2019 10:39:47 +0200
Vincent Ducot via samba <samba at lists.samba.org> wrote:
>
> [libdefaults]
> default_realm = FOO.LAB
Now this could be a typo, but you show your REALM as 'FOO.LAB', which
would mean your DNS domain is 'foo.lab'.
> [realms]
> FOO.LAB = {
> kdc = dc.test.lan
> }
But your kdc's DNS domain appears to be 'test.lan'.
> [global]
> security = ADS
> workgroup = FOO
> realm = FOO.LAB
> netbios name= share
>
> log file = /var/log/samba/%m.log
> log level = 10
>
> preferred master = no
> domain master = no
> dedicated keytab file = /etc/krb5.keytab
> kerberos method = secrets and keytab
>
> idmap config * : backend = tdb
> idmap config * : range = 3000-7999
> idmap config FOO:backend = ad
> idmap config FOO:schema_mode = rfc2307
> idmap config FOO:range = 10000-999999
> idmap config FOO:unix_nss_info = yes
> idmap config FOO:unix_primary_group = yes
For the above to work, any users you want to be Unix users must have
a uidNumber attribute containing a unique number inside the range set
for the domain in smb.conf, in this case '10000-999999'.
You will also need to give Domain Users a gidNumber attribute
containing a number inside the same range.
Because you have also set 'unix_primary_group = yes', you can also give
your users a gidNumber attribute containing the ID (gidNumber) of a
group; this would then override the user's Windows primary group (Domain
Users), but only when logged into a Unix machine and not when
connecting to a share.
> winbind nss info = rfc2307
You no longer use the line above.
> unix password sync = yes
The line above is no longer required; you cannot have domain users
in /etc/passwd.
Rowland
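An added sanity check (not code from the thread or from Samba) that applies the two points made above to the quoted configuration: it flags a kdc whose DNS domain does not match default_realm, and lists users whose uidNumber/gidNumber would not map under the FOO idmap range. The directory entries are constructed for the example, and names such as unixadmins are hypothetical.

```python
import re
# Constructed fragments mirroring the krb5.conf and smb.conf quoted in the thread.
KRB5_CONF = "[libdefaults]\ndefault_realm = FOO.LAB\n[realms]\nFOO.LAB = {\nkdc = dc.test.lan\n}\n"
SMB_CONF = ("idmap config * : range = 3000-7999\nidmap config FOO:backend = ad\n"
            "idmap config FOO:range = 10000-999999\nidmap config FOO:unix_primary_group = yes\n")

def idmap_range(conf, domain):
    """Return (low, high) from 'idmap config DOMAIN : range', or None if unset."""
    m = re.search(r"idmap config %s\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)"
                  % re.escape(domain), conf, re.IGNORECASE)
    return (int(m.group(1)), int(m.group(2))) if m else None

def kdc_matches_realm(conf):
    """True when the kdc host sits in the DNS domain implied by default_realm."""
    realm = re.search(r"default_realm\s*=\s*(\S+)", conf).group(1)
    kdc = re.search(r"kdc\s*=\s*(\S+)", conf).group(1)
    return kdc.lower().endswith("." + realm.lower())

def rfc2307_problems(users, groups, lo, hi):
    """Explain why each user would not map with 'idmap config FOO:backend = ad'."""
    known_gids = {g["gidNumber"] for g in groups if "gidNumber" in g}
    seen_uids, problems = {}, []
    for u in users:
        name, uid, gid = u["name"], u.get("uidNumber"), u.get("gidNumber")
        if uid is None:
            problems.append("%s: no uidNumber, winbind will not see this user" % name)
        elif not lo <= uid <= hi:
            problems.append("%s: uidNumber %d outside %d-%d" % (name, uid, lo, hi))
        elif uid in seen_uids:
            problems.append("%s: uidNumber %d duplicates %s" % (name, uid, seen_uids[uid]))
        else:
            seen_uids[uid] = name
        if gid is None or not lo <= gid <= hi:
            problems.append("%s: gidNumber missing or outside %d-%d" % (name, lo, hi))
        elif gid not in known_gids:  # unix_primary_group = yes needs a real group
            problems.append("%s: gidNumber %d matches no group" % (name, gid))
    return problems

# Constructed directory entries; in practice these come from ldbsearch/ldapsearch.
GROUPS = [{"name": "Domain Users", "gidNumber": 10000},
          {"name": "unixadmins", "gidNumber": 10500}]
USERS = [{"name": "alice", "uidNumber": 10001, "gidNumber": 10500},
         {"name": "bob", "gidNumber": 10000},
         {"name": "carol", "uidNumber": 5000, "gidNumber": 10000},
         {"name": "dave", "uidNumber": 10001, "gidNumber": 20000}]

if __name__ == "__main__":
    print("kdc in realm's DNS domain:", kdc_matches_realm(KRB5_CONF))
    lo, hi = idmap_range(SMB_CONF, "FOO")
    print("\n".join(rfc2307_problems(USERS, GROUPS, lo, hi)))
```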